
Typical NGFW Module Configuration

NGFW modules are service cards used on switches. An NGFW module connects to a switch through two 20GE Ethernet links. On these two links, the ports on one end are located on the switch and the ports on the other end on the NGFW module. Services must be configured on both the switch side and the NGFW module side; otherwise, the NGFW module cannot work properly.

The minimum NGFW module card version matching the switch is V100R001C10. These NGFW module cards are supported on the switch running V200R005C00 or later.

Layer 2 Load-Balancing Hot Standby on the NGFW Modules Installed on a Cluster Switch Where Redirection-based Traffic Diversion Is Implemented

Service Requirements

As shown in Figure 2-30, two switches form a CSS, and two NGFW Modules are installed in slot 1 of the respective switches and implement hot standby. The NGFW Modules work at Layer 2 and are transparently connected to the network. The NGFW Modules perform security checks on traffic sent by intranet users to the Internet. Traffic exchanged between different VLANs does not pass through the NGFW Modules; it is forwarded directly by the switches.

This example uses NGFW modules running V100R001C30 and switches running V200R008C00. For the
configuration examples of NGFW Modules running other versions, see Deployment Guide. You can search for "Deployment
Guide" in the search bar.

The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The numbering of internal Ethernet interfaces on the switch is determined by the slot
in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.

Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches
in the CSS.

Deployment Solution

The four interfaces connecting the switches to the NGFW Modules are bundled into an Eth-Trunk interface, and traffic is distributed between the two NGFW Modules. The two NGFW Modules implement hot standby in Layer-2 load balancing mode.

Add the four interfaces on the switches to Eth-Trunk 10 and four interfaces on the NGFW Modules to Eth-Trunk 1.

Redirection is configured on the switches to direct traffic exchanged between intranet users and the Internet to the NGFW Modules. Eth-Trunk 1 is configured as an interface pair (packets entering the interface are forwarded out of the same interface
after being processed) on the NGFW Modules to send traffic back to the switches.

NOTE:

When the NGFW Module works in interface pair mode, the loop-detection function must not be enabled on the switch. If loop detection is enabled, the switch sends broadcast packets out of the interface. Because the NGFW Module works in interface pair mode, every packet received on the interface is sent back out of the same interface. The switch then detects a traffic loop and disables the interface.

The NGFW Modules implement hot standby in Layer-2 load balancing mode. Therefore, configure the VLANs to be tracked on the upstream and downstream interfaces.

After hot standby is configured, the configurations and sessions on the active device are synchronized
to the standby device; therefore, you only need to perform the following configurations on the active NGFW Module_A.

Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database
is the latest version.

In this example, the configured security policy allows intranet users to access the Internet. To allow the Internet to access the intranet, configure a rule whose destination address is an intranet address.

HRP_A<Module_A> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully

HRP_S<Module_B> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully

Configure the core switches to form a CSS.

Install the hardware and connect the cables. For details, see the CSS Installation Guide.

When traffic is forwarded from the switches to the NGFW Modules, the cross-board Eth-Trunk distributes the traffic. To ensure that the forward and return packets of a flow are forwarded by the same NGFW Module, set the enhanced load balancing mode. In this example, load balancing based on the source and destination IP addresses is used for illustration.
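The following is an added illustration, not part of the Huawei document: a simplified model of Eth-Trunk member selection that shows why the hash key must be symmetric for a stateful NGFW Module. The hash functions and the Internet address 203.0.113.7 are constructed for the example; they are not the switch's real load-balancing algorithm.

```python
# Added example (not from the Huawei document): models why the cross-board
# Eth-Trunk toward the NGFW Modules must hash on a flow-symmetric key.
# A stateful firewall only sees a session correctly when the forward packet
# and the return packet reach the same NGFW Module. The hash functions here
# are a simplified model, not the switch's real load-balancing algorithm.
from typing import Callable, List, Tuple

Flow = Tuple[str, str]          # (client address, server address)
Policy = Callable[[str, str, int], int]


def ip_to_int(ip: str) -> int:
    """Convert dotted-quad IPv4 text to an integer."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def src_ip_policy(src: str, dst: str, members: int) -> int:
    """Non-symmetric key: only the source address is hashed, so the return
    packet (whose source is the server) may pick a different member."""
    return ip_to_int(src) % members


def src_dst_ip_policy(src: str, dst: str, members: int) -> int:
    """Symmetric key: the XOR of both addresses is identical for both
    directions of a flow, so forward and return packets land on the same
    member (the "source and destination IP addresses" mode of the text)."""
    return (ip_to_int(src) ^ ip_to_int(dst)) % members


def select_member(policy: Policy, src: str, dst: str, members: int = 2) -> int:
    """Eth-Trunk member index (0 = NGFW Module_A, 1 = NGFW Module_B)."""
    return policy(src, dst, members)


def asymmetric_flows(policy: Policy, flows: List[Flow], members: int = 2) -> List[Flow]:
    """Return the flows whose forward and return packets would be handed to
    different NGFW Modules under the given policy (empty list = all good)."""
    bad: List[Flow] = []
    for client, server in flows:
        forward = select_member(policy, client, server, members)
        back = select_member(policy, server, client, members)
        if forward != back:
            bad.append((client, server))
    return bad


# Constructed sample flows: intranet hosts on 192.168.1.0/24 reaching a
# constructed Internet address 203.0.113.7 (not an address from the document).
SAMPLE_FLOWS: List[Flow] = [
    ("192.168.1.10", "203.0.113.7"),
    ("192.168.1.11", "203.0.113.7"),
]

if __name__ == "__main__":
    for name, policy in (("src-ip", src_ip_policy), ("src-dst-ip", src_dst_ip_policy)):
        print(name, "asymmetric flows:", asymmetric_flows(policy, SAMPLE_FLOWS))
```

The source-only policy splits the first flow across the two modules while the second happens to stay on one, which is exactly the intermittent session failure a non-symmetric hash produces.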

Although redirection policies are configured, the switch still looks up the routing table and completes Layer-3 forwarding after receiving packets. However, the outgoing interfaces of the packets are determined by the redirection policies.

In the example, when receiving a packet from the intranet to the Internet, the switch first looks up the routing table, changes the VLAN tag from 301 or 302 to 200 based on the default route, and then forwards the packet to the NGFW Module. After
receiving a packet from the Internet to the intranet, the switch changes the VLAN tag from 200 to 301 or 302 based on the direct route and then forwards the packet to the NGFW Module.

If no routing entry is matched, the switch forwards the packet
based on the redirection policy without changing the VLAN tag.

# Configure a default route to the Internet.

[CSS] ip route-static 0.0.0.0 0.0.0.0 10.3.0.5

Verification

Run the display hrp state command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.

HRP_A[Module_A] display hrp state
The firewall's config state is: ACTIVE
Backup channel usage: 0.01%
Time elapsed after the last switchover: 0 days, 0 hours, 36 minutes
Current state of interfaces tracked by active:
Eth-trunk1 (VLAN 200) : up
Eth-trunk1 (VLAN 301) : up
Eth-trunk1 (VLAN 302) : up
Current state of interfaces tracked by standby:
Eth-trunk1 (VLAN 200) : up
Eth-trunk1 (VLAN 301) : up
Eth-trunk1 (VLAN 302) : up
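As an added example (not from the Huawei document), the following parser turns the display hrp state output shown above into a structured health result, so that a monitoring job can flag a module whose config state or tracked VLAN interfaces are not as expected. The healthy sample is the output above; the degraded sample is constructed from it.

```python
# Added example (not from the Huawei document): parse "display hrp state"
# output and report HRP health findings for monitoring.
import re
from typing import Dict, List, NamedTuple


class HrpStatus(NamedTuple):
    config_state: str                  # e.g. "ACTIVE" or "STANDBY"
    tracked_by_active: Dict[str, str]  # "Eth-trunk1 (VLAN 200)" -> "up"/"down"
    tracked_by_standby: Dict[str, str]


_STATE_RE = re.compile(r"config state is:\s*(\S+)")
_TRACK_RE = re.compile(r"^(?P<iface>\S+\s+\(VLAN \d+\))\s*:\s*(?P<state>up|down)$")


def parse_hrp_state(output: str) -> HrpStatus:
    """Extract the config state and the tracked-interface tables."""
    state = "UNKNOWN"
    by_active: Dict[str, str] = {}
    by_standby: Dict[str, str] = {}
    current = None  # table the following interface lines belong to
    for raw in output.splitlines():
        line = raw.strip()
        m = _STATE_RE.search(line)
        if m:
            state = m.group(1)
            continue
        if line.startswith("Current state of interfaces tracked by active"):
            current = by_active
            continue
        if line.startswith("Current state of interfaces tracked by standby"):
            current = by_standby
            continue
        m = _TRACK_RE.match(line)
        if m and current is not None:
            current[m.group("iface")] = m.group("state")
    return HrpStatus(state, by_active, by_standby)


def hrp_problems(status: HrpStatus, expected_state: str = "ACTIVE") -> List[str]:
    """Return human-readable findings; an empty list means healthy."""
    problems: List[str] = []
    if status.config_state != expected_state:
        problems.append(f"config state is {status.config_state}, expected {expected_state}")
    for owner, table in (("active", status.tracked_by_active),
                         ("standby", status.tracked_by_standby)):
        if not table:
            problems.append(f"no tracked interfaces reported for {owner}")
        for iface, st in table.items():
            if st != "up":
                problems.append(f"{iface} tracked by {owner} is {st}")
    return problems


# Output taken from the document above (healthy case, prompt line omitted).
HEALTHY = """\
The firewall's config state is: ACTIVE
Backup channel usage: 0.01%
Time elapsed after the last switchover: 0 days, 0 hours, 36 minutes
Current state of interfaces tracked by active:
Eth-trunk1 (VLAN 200) : up
Eth-trunk1 (VLAN 301) : up
Eth-trunk1 (VLAN 302) : up
Current state of interfaces tracked by standby:
Eth-trunk1 (VLAN 200) : up
Eth-trunk1 (VLAN 301) : up
Eth-trunk1 (VLAN 302) : up
"""

# Constructed variant: the last tracked interface (VLAN 302 on the standby
# side) has gone down.
DEGRADED = HEALTHY[: HEALTHY.rfind(": up")] + ": down\n"

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, hrp_problems(parse_hrp_state(text)))
```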

Check whether the access from the intranet to the Internet succeeds and check the session table of each NGFW Module.

According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet. A session entry with the Remote tag
exists on NGFW Module_B, which indicates that session backup succeeds after you configure hot standby.

Configure a PC in the Trust zone to ping the public address continuously, and run the shutdown command on Eth-trunk1 of NGFW Module_A. Then check the status switchover of the NGFW Modules and the number of discarded ping packets. If the switchover is normal, NGFW Module_B becomes the active device and carries services. No ping packets, or only a few (1 to 3 packets, depending on the actual network environment), are discarded.

Run the undo shutdown command on Eth-trunk1 of NGFW Module_A, and check the status switchover of the NGFW Modules and the number of discarded ping packets. If the switchover is normal, NGFW Module_A becomes the active device again and starts to carry services after the preemption delay (60s by default) expires. No ping packets, or only a few (1 to 3 packets, depending on the actual network environment), are discarded.

Service Requirements

As shown in Figure 2-32, two switches are deployed in a CSS, and two NGFW Modules are installed in slot 1 of the two switches. The two NGFW Modules are required to implement hot standby and perform security detection on traffic passing through the switches. The two NGFW Modules work in active/standby mode.

This example uses NGFW modules running V100R001C30 and switches running V200R008C00. For the
configuration examples of NGFW Modules running other versions, see Deployment Guide. You can search for "Deployment
Guide" in the search bar.

The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The numbering of internal Ethernet interfaces on the switch is determined by the slot
in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.

Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches
in the CSS.

Data Planning

Item: Hot standby
Data: NGFW Module_A: active; NGFW Module_B: standby
Description: -

Item: NAT (Source NAT)
Data: NAT type: PAT; address pool: 1.1.1.1 to 1.1.1.2
Description: The source address is automatically translated for Internet access from a specified private subnet.

Item: NAT (NAT Server)
Data: Global address: 1.1.1.3; inside address: 192.168.2.8
Description: A specified server address is translated from a private address to a public address for Internet users to access.

Item: Security policy (Policy 1: policy_sec1)
Data: Source security zone: Trust; destination security zone: Untrust; source IP address: 192.168.1.0; action: permit
Description: Users in the Trust zone (residing on 192.168.1.0/24) are allowed to access the Internet.

Item: Security policy (Policy 2: policy_sec2)
Data: Source security zone: Untrust; destination security zone: DMZ; destination IP address: 192.168.2.0; action: permit
Description: Extranet users are allowed to access the DMZ (residing on 192.168.2.0/24), and intrusion prevention is implemented.

Deployment Solution

Two NGFW Modules form hot standby networking. The switch diverts the passing traffic to the NGFW Module through a static route. After performing the security check on the traffic, the NGFW Module returns the traffic to the switch through a static route.

Configure VRF on the switches to virtualize them into a virtual switch named Public, which connects to the public network (no VPN instance needs to be configured for it), and virtual switches named trust and dmz, which connect to the Trust zone and DMZ respectively. Figure 2-33 shows the networking. The virtual switches are isolated from each other, so traffic between them must be forwarded through the NGFW Modules.

Figure 2-33 Configuring VRF on switches

Figure 2-33 can be abstracted as Figure 2-34. The NGFW Modules reach the upstream and downstream devices through static routes. Therefore, configure VRRP groups on the NGFW Modules so that the switches communicate with the virtual IP addresses of the VRRP groups on the NGFW Modules.

Configure a default route to the Internet on the NGFW Module, and set the next-hop address to the IP address of VLANIF201. Configure a specific route to the intranet on the NGFW
Module, and set the next-hop address to the IP address of VLANIF202. Figure 2-34 shows the networking. On the virtual switch Public, configure static routes to the Trust zone and DMZ and set the next-hop address to the IP address
of VRRP group 1. On the virtual switch trust, configure a default route to the Internet and set the next-hop address to the IP address of VRRP group 2. On the virtual switch dmz, configure a default route to the Internet and set the next-hop
address to the IP address of VRRP group 3.

Figure 2-34 Configuring VRRP groups on the NGFW Modules and static routes on the switches

NOTE:

Figure 2-34 lists only the switch interfaces involved in the connection with the NGFW Modules.

Bundle the GE0/0/1 and GE0/0/2 interfaces on the panel of each NGFW Module into an Eth-Trunk0 interface, which functions as the heartbeat interface and backup channel, and enable hot standby.

# On NGFW Module_A, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201.

[Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

# On NGFW Module_A, configure
a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address of VLANIF202 on the connected switch.

[Module_A] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

# On NGFW Module_A, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and next-hop address being the address of VLANIF203 on the connected switch.

[Module_A] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

# On NGFW Module_A, configure a black-hole route to an address in the source NAT address pool to prevent routing loops. In this example, the address range is 1.1.1.1-1.1.1.2 in the source NAT address pool.

# On NGFW Module_A, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.

[Module_A] ip route-static 1.1.1.3 255.255.255.255 null 0

# On NGFW Module_B, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201 on the connected switch.

[Module_B] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

# On NGFW Module_B, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address
of VLANIF202 on the connected switch.

[Module_B] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

# On NGFW Module_B, configure a downstream static route to the DMZ, with the destination address being the address of the
DMZ and next-hop address being the address of VLANIF203 on the connected switch.

[Module_B] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

# On NGFW Module_B, configure a black-hole route to an address in the source
NAT address pool to prevent routing loops. In this example, the address range is 1.1.1.1-1.1.1.2 in the source NAT address pool.

After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device;
therefore, you only need to perform the following configurations on the active NGFW Module_A.

Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database is the latest version.

# Configure the NAT server function to translate the private address of a specific server in the DMZ into a public address for user access. In this example, private address 192.168.2.8:80 of the web server
in the DMZ is translated into public address 1.1.1.3:8000.

HRP_A<Module_A> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully

HRP_S<Module_B> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully

Configure the core switches to form a CSS.

Install the hardware and connect the cables. For details, see the CSS Installation Guide.

# Configure static routes to the addresses in the NAT address pool of the NGFW and set the next-hop address of the routes to the IP address of the upstream VRRP group 1 on the NGFW Module.

[CSS] ip route-static 1.1.1.1 32 10.3.1.1
[CSS] ip route-static 1.1.1.2 32 10.3.1.1

# Configure a static route to the global address of the NAT server configured on the NGFW Module and set the next-hop address of the route to the IP address of the upstream VRRP group 1 on the NGFW Module.

[CSS] ip route-static 1.1.1.3 32 10.3.1.1

# Configure a default route on the trust virtual switch and set the next hop to the virtual IP address of VRRP group 2.

[CSS] ip route-static vpn-instance trust 0.0.0.0 0.0.0.0 10.3.2.1

# Configure a default route on the dmz virtual switch and set the next hop to the virtual IP address of VRRP group 3.

[CSS] ip route-static vpn-instance dmz 0.0.0.0 0.0.0.0 10.3.3.1

# Configure the route from the Trust zone to the DMZ. 10.1.2.1 is the IP address of the VLANIF 205 interface of the access switch.

[CSS] ip route-static vpn-instance trust 192.168.2.0 255.255.255.0 vpn-instance dmz 10.1.2.1

# Configure the route from the DMZ to the Trust zone. 10.1.1.1 is the IP address of the VLANIF 204 interface of the access switch.

[CSS] ip route-static vpn-instance dmz 192.168.1.0 255.255.255.0 vpn-instance trust 10.1.1.1

NOTE:

In the example, NAT is configured on the NGFW Modules. Therefore, configure static routes from the Public virtual switch to the Trust zone and DMZ, and the destination IP addresses in the routes should be post-NAT public IP addresses.
If NAT is not configured on the NGFW Modules, the destination IP addresses in the routes must be private IP addresses respectively in the Trust zone and DMZ when you configure static routes from the Public virtual switch to the two zones.

In the
example, communication packets between the Trust zone and DMZ are not processed by the NGFW Modules. If the enterprise requires that the NGFW Modules process the communication packets between the Trust zone and DMZ, set the next hop to the IP address
of the downlink VRRP group on the NGFW Modules when you configure the route for the communications between the Trust zone and DMZ.

Verification

Run the display hrp state command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.

According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet. A session entry with
the Remote tag exists on NGFW Module_B, which indicates that session backup succeeds after you configure hot standby.

Check whether the access from the Internet to servers in the DMZ succeeds and check the session table of each NGFW Module.

Configure a PC in the Trust zone to ping the public address continuously, and run the shutdown command on Eth-trunk1 of NGFW Module_A. Then check the status switchover of the NGFW Modules and the number of discarded ping packets. If the switchover is normal, NGFW Module_B becomes the active device and carries services. The command prompt of NGFW Module_B changes from HRP_S to HRP_A, and the command prompt of NGFW Module_A changes from HRP_A to HRP_S. No ping packets, or only a few (1 to 3 packets, depending on the actual network environment), are discarded.

Run the undo shutdown command on Eth-trunk1 of NGFW Module_A, and check the status switchover of the NGFW Modules and the number of discarded ping packets. If the switchover is normal, NGFW Module_A becomes the active device again and starts to carry services after the preemption delay (60s by default) expires. The command prompt of NGFW Module_A changes from HRP_S to HRP_A, and the command prompt of NGFW Module_B changes from HRP_A to HRP_S. No ping packets, or only a few (1 to 3 packets, depending on the actual network environment), are discarded.

Layer 3 Active/Standby Hot Standby on the NGFW Modules Installed on a Cluster Switch Where PBR-based Traffic Diversion Is Implemented

Service Requirements

As shown in Figure 2-35, two switches are deployed in a CSS, and two NGFW Modules are installed in slot 1 of the two switches. The two NGFW Modules are required to implement hot standby and perform security detection on traffic passing through the switches. The two NGFW Modules work in active/standby mode.

This example uses NGFW modules running V100R001C30 and switches running V200R008C00. For the
configuration examples of NGFW Modules running other versions, see Deployment Guide. You can search for "Deployment
Guide" in the search bar.

The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The numbering of internal Ethernet interfaces on the switch is determined by the slot
in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.

Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches
in the CSS.

Data Planning

Item: Hot standby
Data: NGFW Module_A: active; NGFW Module_B: standby
Description: -

Item: NAT (Source NAT)
Data: NAT type: PAT; address pool: 1.1.1.1 to 1.1.1.2
Description: The source address is automatically translated for Internet access from a specified private subnet.

Item: NAT (NAT Server)
Data: Global address: 1.1.1.3; inside address: 192.168.2.8
Description: A specified server address is translated from a private address to a public address for Internet users to access.

Item: Security policy (Policy 1: policy_sec1)
Data: Source security zone: Trust; destination security zone: Untrust; source IP address: 192.168.1.0; action: permit
Description: Users in the Trust zone (residing on 192.168.1.0/24) are allowed to access the Internet.

Item: Security policy (Policy 2: policy_sec2)
Data: Source security zone: Untrust; destination security zone: DMZ; destination IP address: 192.168.2.0; action: permit
Description: Extranet users are allowed to access the DMZ (residing on 192.168.2.0/24), and intrusion prevention is implemented.

Deployment Solution

Figure 2-35 can be abstracted as Figure 2-36. You can understand the mapping between the two figures based on interface numbers and actual traffic directions.

As shown in Figure 2-36, a default
route (next hop: VLANIF201) to the public network, a specific route (next hop: VLANIF202) to the Trust zone, and a specific route (next hop: VLANIF203) to the DMZ need to be configured on the NGFW modules. PBR needs to be configured on the switches to
direct traffic to the firewalls.

Figure 2-36 Configuring VRRP on the NGFW modules and PBR on the switches

NOTE:

Figure 2-36 lists only the switch interfaces involved in the connection with the NGFW Modules.

Specify Eth-trunk0 as the heartbeat interface and enable hot standby on each NGFW Module.

# On NGFW Module_A, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201.

[Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

# On NGFW Module_A, configure
a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address of VLANIF202 on the connected switch.

[Module_A] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

# On NGFW Module_A, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and next-hop address being the address of VLANIF203 on the connected switch.

[Module_A] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

# On NGFW Module_A, configure a black-hole route to an address in the source NAT address pool to prevent routing loops. In this example, the address range is 1.1.1.1-1.1.1.2 in the source NAT address pool.

# On NGFW Module_A, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.

[Module_A] ip route-static 1.1.1.3 255.255.255.255 null 0
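The black-hole routes above, and the identical ones in the previous static-route-based example, exist because the switch routes every post-NAT public address (1.1.1.1 to 1.1.1.3) toward the NGFW's VRRP group 1 address while the NGFW's own default route points back at the switch. The following added example (not from the Huawei document) is a two-node forwarding model that shows the resulting loop for a packet with no matching NAT entry, and how a null 0 route stops it without affecting translated traffic. The addresses and routes are those of this document; the NAT session table and the translate-then-route order are modelling assumptions, not the device's implementation.

```python
# Added example (not from the Huawei document): model of the CSS and NGFW
# Module_A forwarding a packet that arrives from the Internet for a public
# address handled by the NGFW. Demonstrates the routing loop that the
# black-hole (null 0) routes for the NAT pool and NAT server address prevent.
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, next hop); next hop "null0" = black hole


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over a static routing table."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best[1] if best else None


NGFW_VRRP1 = "10.3.1.1"      # upstream VRRP group 1 virtual IP on the NGFW Modules
CSS_VLANIF201 = "10.3.1.4"   # the NGFW's default next hop back to the CSS

# Switch side: post-NAT public addresses are routed to the NGFW.
CSS_ROUTES: List[Route] = [(f"1.1.1.{i}/32", NGFW_VRRP1) for i in (1, 2, 3)]


def ngfw_routes(with_blackholes: bool) -> List[Route]:
    """NGFW Module_A static routes as configured in this document; the
    null 0 entries for the pool and NAT server address are optional here."""
    routes: List[Route] = [
        ("0.0.0.0/0", CSS_VLANIF201),      # default route to VLANIF201
        ("192.168.1.0/24", "10.3.2.4"),    # Trust zone via VLANIF202
        ("192.168.2.0/24", "10.3.3.4"),    # DMZ via VLANIF203
    ]
    if with_blackholes:
        routes += [(f"1.1.1.{i}/32", "null0") for i in (1, 2, 3)]
    return routes


# NAT server from the data planning: global 1.1.1.3:8000 -> inside 192.168.2.8.
NAT_SERVER: Dict[Tuple[str, int], str] = {("1.1.1.3", 8000): "192.168.2.8"}


def trace(dst: str, dport: int, with_blackholes: bool,
          nat_sessions: Optional[Dict[Tuple[str, int], str]] = None,
          ttl: int = 8) -> List[str]:
    """Follow a packet from the CSS (Internet side) until it is delivered,
    dropped, or its TTL expires. nat_sessions models existing source-NAT
    sessions keyed by (pool address, port); returns the hops taken."""
    sessions = nat_sessions or {}
    hops: List[str] = []
    node = "CSS"
    for _ in range(ttl):
        if node == "CSS":
            nh = lookup(CSS_ROUTES, dst)
            hops.append(f"CSS -> {nh}")
            if nh != NGFW_VRRP1:
                return hops + ["CSS: forwarded outside the model"]
            node = "NGFW"
            continue
        # NGFW: reverse translation (NAT server entry or an existing
        # source-NAT session) is applied before the route lookup, so the
        # null 0 routes never catch legitimately translated traffic.
        inside = NAT_SERVER.get((dst, dport)) or sessions.get((dst, dport))
        if inside:
            dst = inside
        nh = lookup(ngfw_routes(with_blackholes), dst)
        if nh == "null0":
            return hops + [f"NGFW: {dst} dropped by null 0 route"]
        hops.append(f"NGFW -> {nh}")
        if nh != CSS_VLANIF201:
            return hops + [f"NGFW: delivered toward {dst}"]
        node = "CSS"   # default route sends it back to the switch
    return hops + ["TTL expired: routing loop between CSS and NGFW"]


if __name__ == "__main__":
    print(trace("1.1.1.2", 40000, with_blackholes=False))  # loops
    print(trace("1.1.1.2", 40000, with_blackholes=True))   # dropped
    print(trace("1.1.1.3", 8000, with_blackholes=True))    # NAT server hit
```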

# On NGFW Module_B, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201 on the connected switch.

[Module_B] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

# On NGFW Module_B, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address
of VLANIF202 on the connected switch.

[Module_B] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

# On NGFW Module_B, configure a downstream static route to the DMZ, with the destination address being the address of the
DMZ and next-hop address being the address of VLANIF203 on the connected switch.

[Module_B] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

# On NGFW Module_B, configure a black-hole route to an address in the source
NAT address pool to prevent routing loops. In this example, the address range is 1.1.1.1-1.1.1.2 in the source NAT address pool.

After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device;
therefore, you only need to perform the following configurations on the active NGFW Module_A.

Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database is the latest version.

# Configure the NAT server function to translate the private address of a specific server in the DMZ into a public address for user access. In this example, private address 192.168.2.8:80 of the web server
in the DMZ is translated into public address 1.1.1.3:8000.

HRP_A<Module_A> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully

HRP_S<Module_B> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully

Configure the core switches to form a CSS.

Install the hardware and connect the cables. For details, see the CSS Installation Guide.

In this example, the source NAT and NAT server functions are configured on the NGFW Module. From the switch's perspective, the destination address of traffic sent from the public network to the private network is a post-NAT address. Therefore, you can configure a static route on the switch to direct the traffic sent from the public network to the private network to the NGFW Module.

If neither source NAT nor the NAT server function is configured on the NGFW Module, from the switch's perspective the destination address of traffic sent from the public network to the private network is still a private address. In this case, you need to configure a traffic policy on the upstream interface of the switch to direct the traffic to the NGFW Module.

According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet. A session entry with
the Remote tag exists on NGFW Module_B, which indicates that session backup succeeds after you configure hot standby.

Check whether the access from the Internet to servers in the DMZ succeeds and check the session table of each NGFW Module.

Configure a PC in the Trust zone to ping the public address continuously, and run the shutdown command on Eth-trunk1 of NGFW Module_A. Then check the status switchover of the NGFW Modules and the number of discarded ping packets. If the switchover is normal, NGFW Module_B becomes the active device and carries services. The command prompt of NGFW Module_B changes from HRP_S to HRP_A, and the command prompt of NGFW Module_A changes from HRP_A to HRP_S. No ping packets, or only a few (1 to 3 packets, depending on the actual network environment), are discarded.

Run the undo shutdown command on Eth-trunk1 of NGFW Module_A, and check the status switchover of the NGFW Modules and the number of discarded ping packets. If the switchover is normal, NGFW Module_A becomes the active device again and starts to carry services after the preemption delay (60s by default) expires. The command prompt of NGFW Module_A changes from HRP_S to HRP_A, and the command prompt of NGFW Module_B changes from HRP_A to HRP_S. No ping packets, or only a few (1 to 3 packets, depending on the actual network environment), are discarded.

Layer 3 Active/Standby Hot Standby on the NGFW Modules Installed on a Cluster Switch Where VLAN-based Traffic Diversion Is Implemented

Service Requirements

As shown in Figure 2-37, two switches form a CSS, and two NGFW Modules are installed in slot 1 of the respective switches and implement hot standby. The NGFW Modules perform security checks on traffic sent by intranet users to the server area or the Internet.

This example uses NGFW modules running V100R001C30 and switches running V200R008C00. For the
configuration examples of NGFW Modules running other versions, see Deployment Guide. You can search for "Deployment
Guide" in the search bar.

Figure 2-37 Switch CSS and NGFW Module hot standby networking

NOTE:

The NGFW Module has two fixed internal Ethernet interfaces:
GE1/0/0 to GE1/0/1. The numbering of internal Ethernet interfaces
on the switch is determined by the slot in which the NGFW Module is
installed. For example, when the NGFW Module is installed in slot
1 on the switch, the internal Ethernet interfaces used by the switch
are XGE1/1/0/0 to XGE1/1/0/1.

Eth-Trunk2 and Eth-Trunk3 are
interfaces of the switches in the CSS.

Deployment Solution

The NGFW Modules work
at Layer 3, and the upstream and downstream network gateways point
to the NGFW Modules. The switches work at Layer 2.

The interfaces connecting each NGFW Module and switch are bundled
into an Eth-Trunk interface. The Eth-Trunk interface is Eth-Trunk
1 on each NGFW Module, Eth-Trunk 10 on the SwitchA, and Eth-Trunk
11 on the SwitchB.

The Eth-Trunk at the switch side is configured to work in Trunk
mode and allows packets from VLANs 301, 302, and 200 to pass. Configure
three Eth-Trunk subinterfaces at the NGFW Module side to carry out
dot1q termination for packets from VLANs 301, 302, and 200 respectively
and perform Layer-3 forwarding.

Two NGFW modules form hot standby in active/standby mode. Therefore,
a VRRP group needs to be configured on the upstream and downstream
subinterfaces of each NGFW Module. One NGFW Module is added to an
active VGMP group, and the other NGFW Module is added to a standby
VGMP group.

The virtual gateway IP addresses of the VRRP group
are the gateway addresses of the downstream and upstream networks.

After hot standby is configured, the configurations
and sessions on the active device are synchronized to the standby
device; therefore, you only need to perform the following configurations
on the active NGFW Module_A.

Before configuring intrusion
prevention, ensure that the required license is loaded and the intrusion
prevention signature database is the latest version.

HRP_A<Module_A> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully

HRP_S<Module_B> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully

Configure the core switches to form a CSS.

Install the hardware and connect the cables. For details, see the CSS Installation Guide.

According to the preceding output, NGFW Module_A has created a
session entry for the access from the intranet to the Internet. A
session entry with the Remote tag exists on NGFW Module_B, which indicates
that session backup succeeds after you configure hot standby.

Check whether the access from users in the intranet to servers
succeeds and check the session table of each NGFW Module.

Configure a PC in the Trust zone to ping the public address continuously, and run the shutdown command on Eth-trunk1 of NGFW Module_A. Then check the status switchover of the NGFW Modules and the number of discarded ping packets. If the switchover is normal, NGFW Module_B becomes the active device and carries services. The command prompt of NGFW Module_B changes from HRP_S to HRP_A, and the command prompt of NGFW Module_A changes from HRP_A to HRP_S. No ping packets, or only a few (1 to 3 packets, depending on the actual network environment), are discarded.

Run the undo shutdown command on Eth-trunk1 of NGFW Module_A, and check the status switchover of the NGFW Modules and the number of discarded ping packets. If the switchover is normal, NGFW Module_A becomes the active device again and starts to carry services after the preemption delay (60s by default) expires. The command prompt of NGFW Module_A changes from HRP_S to HRP_A, and the command prompt of NGFW Module_B changes from HRP_A to HRP_S. No ping packets, or only a few (1 to 3 packets, depending on the actual network environment), are discarded.